This post was written by Daniel Kadar.

A new regulation of the CNIL, dated 12 June 2012 and published on 13 July 2012, modifies the ways and means of collecting and processing client/prospect-related data.

  1. The regulation, issued as an amendment to the “Simplified Norm No. 48” [], broadens the possibility for data controllers to make a simplified notification to the CNIL (in which the data controller barely confirms adherence to the rules of such regulation) rather than using the regular notification process.

    In addition to client prospecting activities, the new regulation explicitly mentions audience measurement, quality measurement activities and sweepstakes (with the explicit exception of online gambling). Banking and insurance activities, as well as health or education-related activities, are excluded from the scope of this Simplified Norm.

  2. The main improvement of this new regulation is to impose differentiated data retention periods depending on the nature of the data to be processed. In that regard, prospecting data related to prospects is now aligned to the data retention period for client prospecting material, and can now be retained three years after their collection, compared to one-year period that previously applied. The regulation adds that the data controller will have the option to renew this retention period for another three years if the explicit consent of the data owner is obtained.

    Data evidencing the existence of a right or of a contract can be kept five years after contract termination. Accounting documents can be kept 10 years.

    Among other categories, credit card-related data can be retained for a maximum of 13 months after the transaction (15 months for a deferred debit card) as evidence.

    The retention period of audience measurement data is six months after their collection. Cookies can be retained during the same period of time.

  3. The regulation also provides important specification as to the way to handle prospecting activities:
    • The client/prospect must in all cases be informed of the purpose of the collection of his/her data by the data controller and of his/her right of access, modification or opposition with the indication of a valid address in that regard.
    • In addition, any kind of automated prospecting (email, SMS, MMS) is subject to the data owner’s consent. The regulation adds that it is not sufficient to include such provisions in the General Terms of Use / General Conditions. Consent must therefore be explicit and separate.
    • Prospecting with “human intervention” can only be done if the data owner is granted the right to oppose “in a simple manner” such processing.
  4. Whilst this Simplified Norm allows the transfer of data to non-EU countries provided that the data importer has agreed to guarantee an EU-equivalent level of data protection (through Safe Harbor membership,where applicable), the subscription of a data transfer agreement including the EU-model clauses or by implementing binding corporate rules (BCRs), it shall not apply to any data processing “likely to exclude a data owner from the benefit of a right or from a contract or service.” In such case, the CNIL will require an authorization procedure.
  5. This new regulation, which amends the “Simplified Norm No. 48,” will force a number of data controllers to adapt their internal procedures, in particular as to data retention periods. The CNIL has therefore imposed a transition period of 12 months from the date of publication of the new regulation (i.e. until 13 July 2013).